DHCP欺骗实验操作及防护措施

本文涉及的产品
全局流量管理 GTM,标准版 1个月
公共DNS(含HTTPDNS解析),每月1000万次HTTP解析
云解析 DNS,旗舰版 1个月
简介: DHCP欺骗实验操作及防护措施

1、实验拓扑搭建

20200730114858516.png

2、配置参数

(1)PC1

20200730115031938.png

(2)PC2

20200730115105265.png

(3)SW1配置参数

[SW1]vlan batch 10 20
[SW1]interface Ethernet0/0/1  
[SW1-Ethernet0/0/1]display this 
#
interface Ethernet0/0/1
 port link-type access
 port default vlan 10
#
return
[SW1-Ethernet0/0/1]
[SW1]interface Ethernet0/0/2
[SW1-Ethernet0/0/2]display this 
#
interface Ethernet0/0/2
 port link-type access
 port default vlan 20
#
return
[SW1-Ethernet0/0/2]quit
[SW1]interface GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1]dis thi
#
interface GigabitEthernet0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10 20
#
return
[SW1-GigabitEthernet0/0/1]


(4)AR1配置参数(合法路由器)

[AR1]dhcp enable 
[AR1]ip pool TV
[AR1-ip-pool-TV]display this 
[V200R003C00]
#
ip pool TV
 gateway-list 10.1.1.254 
 network 10.1.1.0 mask 255.255.255.0 
 excluded-ip-address 10.1.1.1 
 lease day 2 hour 2 minute 2 
 dns-list 202.99.99.99 
#
return
[AR1-ip-pool-TV]quit
[AR1]ip pool VT
[AR1-ip-pool-VT]dis thi
[V200R003C00]
#
ip pool VT
 gateway-list 20.1.1.254 
 network 20.1.1.0 mask 255.255.255.0 
 excluded-ip-address 20.1.1.1 
 lease day 2 hour 2 minute 2 
 dns-list 202.99.99.99 
#
return
[AR1-ip-pool-VT]quit
[AR1]interface GigabitEthernet 0/0/0.1
[AR1-GigabitEthernet0/0/0.1]display this 
[V200R003C00]
#
interface GigabitEthernet0/0/0.1
 dot1q termination vid 10
 ip address 10.1.1.254 255.255.255.0 
 arp broadcast enable
 dhcp select global
#
return
[AR1-GigabitEthernet0/0/0.1]
[AR1-GigabitEthernet0/0/0.2]dis thi
[V200R003C00]
#
interface GigabitEthernet0/0/0.2
 dot1q termination vid 20
 ip address 20.1.1.254 255.255.255.0 
 arp broadcast enable
 dhcp select global
#
return
[AR1-GigabitEthernet0/0/0.2]


(5)AR2配置参数(黑客路由器)

[HEIKE]dhcp enable 
Info: The operation may take a few seconds. Please wait for a moment.done.
[HEIKE]ip pool IT
Info: It's successful to create an IP address pool.
[HEIKE-ip-pool-IT]gateway-list 1.1.1.254
[HEIKE-ip-pool-IT]network 1.1.1.0 mask 255.255.255.0
[HEIKE-ip-pool-IT]dns-list 202.99.99.99
[HEIKE-ip-pool-IT]lease day 2 hour 2 minute 2
[HEIKE-ip-pool-IT]excluded-ip-address 1.1.1.1
[HEIKE-ip-pool-IT]display this 
[V200R003C00]
#
ip pool IT
 gateway-list 1.1.1.254 
 network 1.1.1.0 mask 255.255.255.0 
 excluded-ip-address 1.1.1.1 
 lease day 2 hour 2 minute 2 
 dns-list 202.99.99.99 
#
return
[HEIKE]ip pool HR
Info: It's successful to create an IP address pool.
[HEIKE-ip-pool-HR]
[HEIKE-ip-pool-HR] gateway-list 2.2.2.254 
[HEIKE-ip-pool-HR]
[HEIKE-ip-pool-HR] network 2.2.2.0 mask 255.255.255.0 
[HEIKE-ip-pool-HR]
[HEIKE-ip-pool-HR] excluded-ip-address 2.2.2.2
[HEIKE-ip-pool-HR]
[HEIKE-ip-pool-HR] lease day 2 hour 2 minute 2 
[HEIKE-ip-pool-HR]
[HEIKE-ip-pool-HR] dns-list 202.99.99.99 
[HEIKE-ip-pool-HR]dis thi
[V200R003C00]
#
ip pool HR
 gateway-list 2.2.2.254 
 network 2.2.2.0 mask 255.255.255.0 
 excluded-ip-address 2.2.2.2 
 lease day 2 hour 2 minute 2 
 dns-list 202.99.99.99 
#
return
[HEIKE-ip-pool-HR]quit
[HEIKE]interface GigabitEthernet 0/0/0.1
[HEIKE-GigabitEthernet0/0/0.1]ip address 1.1.1.254 24
[HEIKE-GigabitEthernet0/0/0.1]dot1q termination vid 10
Jul 30 2020 10:42:56-08:00 HEIKE %%01IFNET/4/LINK_STATE(l)[2]:The line protocol 
IP on the interface GigabitEthernet0/0/0.1 has entered the UP state. 
[HEIKE-GigabitEthernet0/0/0.1]arp broadcast enable 
[HEIKE-GigabitEthernet0/0/0.1]dis thi
[V200R003C00]
#
interface GigabitEthernet0/0/0.1
 dot1q termination vid 10
 ip address 1.1.1.254 255.255.255.0 
 arp broadcast enable
#
return
[HEIKE-GigabitEthernet0/0/0.1]
[HEIKE]interface GigabitEthernet 0/0/0.2  
[HEIKE-GigabitEthernet0/0/0.2]ip address 2.2.2.254 24
[HEIKE-GigabitEthernet0/0/0.2]dot1q termination vid 20
Jul 30 2020 10:44:30-08:00 HEIKE %%01IFNET/4/LINK_STATE(l)[3]:The line protocol 
IP on the interface GigabitEthernet0/0/0.2 has entered the UP state. 
[HEIKE-GigabitEthernet0/0/0.2]arp broadcast enable 
[HEIKE-GigabitEthernet0/0/0.2]dis thi
[V200R003C00]
#
interface GigabitEthernet0/0/0.2
 dot1q termination vid 20
 ip address 2.2.2.254 255.255.255.0 
 arp broadcast enable
#
return
# 子接口下启用全局DHCP
[HEIKE-GigabitEthernet0/0/0.2]dhcp select global 
[HEIKE-GigabitEthernet0/0/0.2]dis thi
[V200R003C00]
#
interface GigabitEthernet0/0/0.2
 dot1q termination vid 20
 ip address 2.2.2.254 255.255.255.0 
 arp broadcast enable
 dhcp select global
#
return
[HEIKE-GigabitEthernet0/0/0.2]
[HEIKE]interface GigabitEthernet 0/0/0.1
[HEIKE-GigabitEthernet0/0/0.1]dhcp  select global 
[HEIKE-GigabitEthernet0/0/0.1]dis thi
[V200R003C00]
#
interface GigabitEthernet0/0/0.1
 dot1q termination vid 10
 ip address 1.1.1.254 255.255.255.0 
 arp broadcast enable
 dhcp select global
#
return
[HEIKE-GigabitEthernet0/0/0.1]


3、防护措施设置

使用DHCP Snooping防范DHCP欺骗攻击

DHCP 欺骗攻击过程:

1.首先攻击者伪装成DHCP客户端,发起大量的DHCP请求(可以用软件实现)。DHCP服务器收到请求后,把IP分配给伪装的DHCP客户端,由于DHCP服务器的IP地址数量是有限的,很快DHCP服务器上地址池的IP就会被消耗完,则DHCP服务器不再为其它客户端分配IP


2.第一步完成后,攻击者这时可以搭建一台DHCP服务器,则客户端的DHCP请求就会到非法的DHCP上请求IP,从而获取一个非法的IP地址。


DHCP Snpooing配置:

1.全局启用dhcp snooping

SW1-GigabitEthernet0/0/1

dhcp snooping enable

……………………………………………………………………………

2.将相应的端口(连接合法DHCP服务器的端口)划入trusted

SW1-GigabitEthernet0/0/1

dhcp snooping trusted

……………………………………………………………………………

3.SW1全局dhcp snooping和所连接的接口dhcp snooping都要开启

dhcp snooping enable

………………………………………………………………………………

4.开启dhcp snooping 防护功能时,要先开启DHCP服务(即dhcp enable)

dhcp enable

dhcp snooping enable

# 防护措施,在交换机的GE 0/0/1上设置参数
[SW1]dhcp enable 
Info: The operation may take a few seconds. Please wait for a moment.done.
[SW1]dhcp snooping enable //全局开启dhcp snooping
[SW1]
Jul 30 2020 11:33:38-08:00 SW1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25
.191.3.1 configurations have been changed. The current change number is 23, the 
change loop count is 0, and the maximum number of records is 4095.
[SW1]interface GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1]dhcp snooping trusted 
Jul 30 2020 11:35:18-08:00 SW1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25
.191.3.1 configurations have been changed. The current change number is 24, the 
change loop count is 0, and the maximum number of records is 4095.
[SW1-GigabitEthernet0/0/1]dis thi
#
interface GigabitEthernet0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10 20
 dhcp snooping trusted
#
return
[SW1-GigabitEthernet0/0/1]
[SW1-GigabitEthernet0/0/1]dhcp snooping enable 
[SW1-GigabitEthernet0/0/1]dis thi
#
interface GigabitEthernet0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10 20
 dhcp snooping enable
 dhcp snooping trusted
#
return
[SW1-GigabitEthernet0/0/1]
[SW1]interface Ethernet0/0/3  
[SW1-Ethernet0/0/3]dhcp snooping enable 
Jul 30 2020 11:39:08-08:00 SW1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25
.191.3.1 configurations have been changed. The current change number is 25, the 
change loop count is 0, and the maximum number of records is 4095.
[SW1-Ethernet0/0/3]dis thi
#
interface Ethernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10 20
 dhcp snooping enable
#
return
[SW1-Ethernet0/0/3]


4、PC1 获取DHCP地址

20200730121236124.png


5、PC2 获取DHCP地址

20200730121318865.png


6、中断合法AR1端口后,验证PC能否正常获取DHCP

当交换机GE 0/0/1的端口与AR1的GE 0/0/0的合法端口通信中断后,Pc1和Pc2重新获取DHCP地址时,无法获取。如图所示。

[AR1]interface GigabitEthernet 0/0/0
[AR1-GigabitEthernet0/0/0]shutdown 
Jul 30 2020 12:15:15-08:00 AR1 %%01IFPDT/4/IF_STATE(l)[0]:Interface GigabitEther
net0/0/0 has turned into DOWN state.
[AR1-GigabitEthernet0/0/0]
Jul 30 2020 12:15:15-08:00 AR1 %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP
 on the interface GigabitEthernet0/0/0.1 has entered the DOWN state. 
[AR1-GigabitEthernet0/0/0]
Jul 30 2020 12:15:15-08:00 AR1 %%01IFNET/4/LINK_STATE(l)[2]:The line protocol IP
 on the interface GigabitEthernet0/0/0.2 has entered the DOWN state. 
[AR1-GigabitEthernet0/0/0]


2020073012164541.png

20200730121728221.png

20200730121756805.png

至此,防护措施已生效。

相关文章
|
1月前
|
网络协议 网络安全 数据安全/隐私保护
计算机网络概念:网关,DHCP,IP寻址,ARP欺骗,路由,DDOS等
计算机网络概念:网关,DHCP,IP寻址,ARP欺骗,路由,DDOS等
48 4
|
1月前
|
网络协议 网络安全 数据安全/隐私保护
计算机网络概念:网关,DHCP,IP寻址,ARP欺骗,路由,DDOS等
【10月更文挑战第27天】计算机主机网关的作用类似于小区传达室的李大爷,负责将内部网络的请求转发到外部网络。当小区内的小不点想与外面的小明通话时,必须通过李大爷(网关)进行联系。网关不仅帮助内部设备与外部通信,还负责路由选择,确保数据包高效传输。此外,网关还参与路由表的维护和更新,确保网络路径的准确性。
51 2
|
2月前
|
网络协议 网络虚拟化 网络架构
【网络实验】/主机/路由器/交换机/网关/路由协议/RIP+OSPF/DHCP(上)
【网络实验】/主机/路由器/交换机/网关/路由协议/RIP+OSPF/DHCP(上)
82 1
|
2月前
|
网络协议 数据安全/隐私保护 网络虚拟化
【网络实验】/主机/路由器/交换机/网关/路由协议/RIP+OSPF/DHCP(下)
【网络实验】/主机/路由器/交换机/网关/路由协议/RIP+OSPF/DHCP(下)
71 0
|
7月前
|
网络协议 网络架构
DHCP中继实验
DHCP中继实验
|
7月前
|
网络协议
DHCP实验-动态主机配置协议
DHCP实验-动态主机配置协议
|
开发工具
debian-dhcp实验(傻瓜教程)
debian-dhcp实验(傻瓜教程)
66 0
|
vr&ar
DHCP 的综合实验
DHCP 的综合实验
96 0
|
网络协议 网络虚拟化
【DHCP实验】使用三层交换机配置DHCP Server服务器(基于全局地址池配置)
【DHCP实验】使用三层交换机配置DHCP Server服务器(基于全局地址池配置)
267 0